SideWinder South Asia diplomatic spear-phishing campaign using PDF and ClickOnce
Campaign
Summary
A SideWinder campaign used four waves of spear-phishing from March through September 2025, reaching a European embassy in New Delhi and organizations in Sri Lanka, Pakistan, and Bangladesh. The operation matters because it pairs diplomatic targeting with espionage-focused malware delivery, raising the risk of credential theft and hidden access. It also shows a shift to a PDF and ClickOnce infection chain layered on top of earlier Word-based tradecraft.
Related Happenings
Grandoreiro DLL side-loading campaign targeting banks in Portugal
Campaign
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
**Grandoreiro** is running a new **DLL side-loading** campaign against **banks in Portugal**, extending a long-lived banking-malware operation into **2026**. The latest wave uses...
Augmented Marauder / Water Saci multi-pronged phishing campaign targeting Latin America and Europe
Campaign
First: 01.04.2026 15:36
Last: 01.04.2026 15:36
Sources 1
About this happening:
**Water Saci** is actively evolving a **WhatsApp Web worm** in **Brazil** that uses **HTA** and **PDF** lures to deliver a **banking trojan**. The latest wave shifts from **PowerS...
Evasive Panda DNS poisoning MgBot espionage campaign
Campaign
First: 26.12.2025 16:44
Last: 26.12.2025 16:44
Sources 1
About this happening:
**Evasive Panda** ran a **highly targeted cyber espionage campaign** that used **DNS poisoning** to deliver **MgBot** to victims in **Türkiye, China, and India**. The operation wa...
Tomiris 2025 government-targeting campaign
Campaign
First: 01.12.2025 07:07
Last: 01.12.2025 07:07
Sources 1
About this happening:
The **Tomiris 2025 campaign** is using **phishing** and **public-service C2** to target **foreign ministries**, **intergovernmental organizations**, and **government entities**, i...
APT24 BadAudio multi-delivery espionage campaign
Campaign
First: 21.11.2025 00:12
Last: 21.11.2025 00:12
Sources 1
About this happening:
**APT24** is running a **three-year espionage campaign** with **BadAudio** that has expanded into multiple delivery methods, increasing the operation's reach and stealth. Since **...
Timeline
- 28.10.2025 06:01 · 1 article
SideWinder South Asia diplomatic spear-phishing campaign using PDF and ClickOnce
Initial Disclosure: The initial phase began with **spear-phishing emails** sent in **four waves** from **March through September 2025**. Early lures used **PDF** and **Microsoft Word** documents to pull targets into the infection chain.
Sources:
- SideWinder Adopts New ClickOnce-Based Attack Chain Targeting South Asian Diplomats — thehackernews.com — 28.10.2025 06:01